X-Git-Url: https://git.donarmstrong.com/?a=blobdiff_plain;f=spamass-milter.cpp;h=581829358bd8cdeb1f053e0a6ad14a3c30f757d5;hb=b9df85a994d2be845dc3f7c76920fae684c1b606;hp=1b89268fcda6679dfb33bfd250f5f37d59c76ded;hpb=3004c9bd6381217f2fc604d8f90b8af789e15fb2;p=deb_pkgs%2Fspamass-milter.git diff --git a/spamass-milter.cpp b/spamass-milter.cpp index 1b89268..5818293 100644 --- a/spamass-milter.cpp +++ b/spamass-milter.cpp @@ -172,10 +172,6 @@ bool flag_expand = false; /* alias/virtusertable expansion */ bool ignore_authenticated_senders = false; bool warnedmacro = false; /* have we logged that we couldn't fetch a macro? */ -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */ -static pthread_mutex_t popen_mutex = PTHREAD_MUTEX_INITIALIZER; -#endif - // {{{ main() int @@ -187,6 +183,7 @@ main(int argc, char* argv[]) bool dofork = false; char *pidfilename = NULL; FILE *pidfile = NULL; + struct sigaction children_sigaction; #ifdef HAVE_VERBOSE_TERMINATE_HANDLER std::set_terminate (__gnu_cxx::__verbose_terminate_handler); @@ -467,59 +464,26 @@ assassinate(SMFICTX* ctx, SpamAssassin* assassin) send another copy. The milter API will not let you send the message AND return a failure code to the sender, so this is the only way to do it. */ -#if defined(__FreeBSD__) - int rv; -#endif - -#if defined(HAVE_ASPRINTF) - char *buf; -#else - char buf[1024]; -#endif - char *fmt="%s \"%s\""; + char *popen_argv[3]; FILE *p; + pid_t pid; -#if defined(HAVE_ASPRINTF) - asprintf(&buf, fmt, SENDMAIL, spambucket); -#else -#if defined(HAVE_SNPRINTF) - snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, spambucket); -#else - /* XXX possible buffer overflow here */ - sprintf(buf, fmt, SENDMAIL, spambucket); -#endif -#endif - - debug(D_COPY, "calling %s", buf); -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */ - rv = pthread_mutex_lock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv)); - abort(); - } -#endif - p = popen(buf, "w"); + popen_argv[0] = SENDMAIL; + popen_argv[1] = spambucket; + popen_argv[2] = NULL; + + debug(D_COPY, "calling %s %s", SENDMAIL, spambucket); + p = popenv(popen_argv, "w",&pid); if (!p) { - debug(D_COPY, "popen failed(%s). Will not send a copy to spambucket", strerror(errno)); + debug(D_COPY, "popenv failed(%s). Will not send a copy to spambucket", strerror(errno)); } else { // Send message provided by SpamAssassin fwrite(assassin->d().c_str(), assassin->d().size(), 1, p); - pclose(p); p = NULL; + fclose(p); p = NULL; + waitpid(pid,0,0); } -#if defined(__FreeBSD__) - rv = pthread_mutex_unlock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv)); - abort(); - } -#endif -#if defined(HAVE_ASPRINTF) - free(buf); -#endif } return SMFIS_REJECT; } @@ -864,30 +828,20 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcpt) /* open a pipe to sendmail so we can do address expansion */ char buf[1024]; - char *fmt="%s -bv \"%s\" 2>&1"; - -#if defined(HAVE_SNPRINTF) - snprintf(buf, sizeof(buf)-1, fmt, SENDMAIL, envrcpt[0]); -#else - /* XXX possible buffer overflow here */ - sprintf(buf, fmt, SENDMAIL, envrcpt[0]); -#endif + char *popen_argv[4]; + pid_t pid; + + popen_argv[0] = SENDMAIL; + popen_argv[1] = "-bv"; + popen_argv[2] = envrcpt[0]; + popen_argv[3] = NULL; - debug(D_RCPT, "calling %s", buf); + debug(D_RCPT, "calling %s -bv %s", SENDMAIL, envrcpt[0]); -#if defined(__FreeBSD__) /* popen bug - see PR bin/50770 */ - rv = pthread_mutex_lock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not lock popen mutex: %s", strerror(rv)); - abort(); - } -#endif - - p = popen(buf, "r"); + p = popenv(popen_argv, "r", &pid); if (!p) { - debug(D_RCPT, "popen failed(%s). Will not expand aliases", strerror(errno)); + debug(D_RCPT, "popenv failed(%s). Will not expand aliases", strerror(errno)); assassin->expandedrcpt.push_back(envrcpt[0]); } else { @@ -912,16 +866,10 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcpt) assassin->expandedrcpt.push_back(p+7); } } - pclose(p); p = NULL; + fclose(p); p = NULL; + waitpid(pid,0,0); + } -#if defined(__FreeBSD__) - rv = pthread_mutex_unlock(&popen_mutex); - if (rv) - { - debug(D_ALWAYS, "Could not unlock popen mutex: %s", strerror(rv)); - abort(); - } -#endif } else { assassin->expandedrcpt.push_back(envrcpt[0]); @@ -1024,9 +972,9 @@ mlfi_envrcpt(SMFICTX* ctx, char** envrcpt) assassin->output((string) "Received: from "+macro_s+" ("+macro__+")\r\n\t"+ - "by "+macro_j+"("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+ + "by "+macro_j+" ("+macro_v+"/"+macro_Z+") with "+macro_r+" id "+macro_i+"\r\n\t"+ macro_b+"\r\n\t"+ - "(envelope-from "+assassin->from()+"\r\n"); + "(envelope-from "+assassin->from()+")\r\n"); } else assassin->output((string)"X-Envelope-To: "+envrcpt[0]+"\r\n"); @@ -2179,5 +2127,74 @@ void warnmacro(char *macro, char *scope) warnedmacro = true; } +/* + untrusted-argument-safe popen function - only supports "r" and "w" modes + for simplicity, and always reads stdout and stderr in "r" mode. Call + fclose to close the FILE. +*/ +FILE *popenv(char *const argv[], const char *type, pid_t *pid) +{ + FILE *iop; + int pdes[2]; + int save_errno; + + if ((*type != 'r' && *type != 'w') || type[1]) + { + errno = EINVAL; + return (NULL); + } + if (pipe(pdes) < 0) + return (NULL); + + *pid = fork(); + switch (*pid) { + + case -1: /* Error. */ + save_errno = errno; + (void)close(pdes[0]); + (void)close(pdes[1]); + errno = save_errno; + return (NULL); + /* NOTREACHED */ + case 0: /* Child. */ + if (*type == 'r') { + /* + * The dup2() to STDIN_FILENO is repeated to avoid + * writing to pdes[1], which might corrupt the + * parent's copy. This isn't good enough in + * general, since the exit() is no return, so + * the compiler is free to corrupt all the local + * variables. + */ + (void)close(pdes[0]); + (void)dup2(pdes[1], STDOUT_FILENO); + (void)dup2(pdes[1], STDERR_FILENO); + if (pdes[1] != STDOUT_FILENO && pdes[1] != STDERR_FILENO) { + (void)close(pdes[1]); + } + } else { + if (pdes[0] != STDIN_FILENO) { + (void)dup2(pdes[0], STDIN_FILENO); + (void)close(pdes[0]); + } + (void)close(pdes[1]); + } + execv(argv[0], argv); + exit(127); + /* NOTREACHED */ + } + + /* Parent; assume fdopen can't fail. */ + if (*type == 'r') { + iop = fdopen(pdes[0], type); + (void)close(pdes[1]); + } else { + iop = fdopen(pdes[1], type); + (void)close(pdes[0]); + } + + return (iop); +} + // }}} // vim6:ai:noexpandtab